Using the Permissions Explorer
Note: This tool is applicable only to those entities that use profile-based permissions (portfolios, assets, reports, dashboards, filters, and requests (new), projects). See About Profile-Based Permissions
Administering permissions is a complex process. The enterprise model offers a great deal of flexibility, which ultimately gives you, the user, a lot of power. With great power comes great responsibility....(I couldn't resist).
The Permissions Explorer is a tool that allows you to trace every permission granted to every user, and the converse: every permission granted on every entity. The Explorer provides a bi-directional, visual representation of all the permissions in your environment to help you quickly understand and verify who can do what - and how.
The Explorer is designed to work with the enterprise permissions model, and it does not support any of the older "legacy" permissions in the system. This means it can be used to explore entities that use the new permissions only. See Working with Permission Profiles.
Who Has Permissions On This Entity (and what are they)?
To explore the permissions granted on an entity, you simply select an entity (such as a portfolio or a project or a resource) and choose Actions > View People With Permissions On This Entity (or choose it from the right-click context menu) to open a window that shows the users with permission on the entity, and how they got the permissions.
What Entities Does This User Have Permissions On (and how)?
To explore the permissions that a user has been granted, for example, you select a user from the Resource Workbench or the Resources page and choose Actions > View User's Permissions to open a window that shows the permissions the selected user has been granted.
The Permissions Explorer currently supports:
Organization Finance Settings
Organization Internal Rates
Anatomy of the Permissions Explorer
You display the explorer in the following ways:
Select an entity from a list page and choosing Actions > View Permissions on this Entity. Using this option puts the explorer in the context of the entity (keep in mind that the entity can also be a resource/user).
Select a resource from the Resource Workbench or the Resource page and choosing Actions > View User's Permissions. Using this option puts the explorer in the context of the user.
The Permissions Explorer will open in a new tab.
If the context is an entity (like the screenshot above, as is indicated by the explorer title), the left panel displays the users with permissions on the entity (Hyperspace Bypass). Only users with permissions on the Hyperspace Bypass project are displayed in the list. The middle panel displays the various profiles granting permission for the selected user to the selected entity; the Rule Type reflects how the permission is granted (global or team), and the Applied Entity shows how the user received the profile (as an individual user, or as part of a group or unit).
If the context is the user (see screenshot below), the top-left panel shows all the entity types the user has permission on. When you select an entity type, the lower-left pane shows all the instances of that entity type that user has permissions on. The middle panel shows one or profile granting permission to the user on the selected entity instance.
Note: Users can be included in multiple profiles for the same instance. This is good to remember when troubleshooting why a user still has permissions even after you deleted a profile.
Things to Keep in Mind
The explorer context is indicated by the explorer title:
- entity context = "People with Permissions on <entity type>:<entity title>"
- user context = "User's Permissions:<user name>"
Multiple profiles for the same entity:
A user can be mapped to multiple profiles for the same entity. For example, the user might be on the team of a project with a Team profile, and might also be a member of a group that has a global profile for the same project. This means if you delete the user from the project team, he/she will still have permissions to the project granted by the group profile.
Some questions the explorer can help you answer:
Who has permissions on my project?
I set up some permissions, but I'm not sure I did it correctly. How can I spot-check some users that I know should have certain permissions.
Someone has access to a project and I don't understand how.
Scenario 1: Who has permissions on my project?
You can easily see the members of the Hyperspace Bypass project team, along with their corresponding permissions profile, by simply looking at the project Team: Profile-Based Permissions section:
However, there maybe be permissions granted on Hyperspace Bypass that did not come by way of the project team. You can use the Permissions Explorer to see the routes of these additional permissions. For example, a user might be a member of a group that has global permissions on the project.
- Navigate to the Projects list and select Hyperspace Bypass.
- Choose Actions > View People with Permissions on this Entity.
The Permissions Explorer opens in a separate tab and displays a list of users/groups/units with permissions on Hyperspace Bypass. Alex Adams is at the top of the list again.
- Select Alex Adams.
Alex is associated with 2 profiles: Project Contributor and Project Viewer.
- Select Project Contributor.
The Project Contributor profile has a Team rule type, which means it conveys permissions for a specific users on the team of a specific entity. This profile was used when Alex was added to the Hyperspace Bypass project team. The actual permissions conveyed by the profile are displayed in the Permissions Hierarchy on the right-hand side; you can see that there are View permissions included in the profile.
- Now click Global Project View.
The Global Project View profile has a Group rule type, which means it conveys global project permissions (all instances) to all members of the group the profile is applied to: Full Users. Alex is a member of the Full Users group, which is the group this profile is applied to.
The Full Users group is given view permissions to all projects - you can see in the Permissions Hierarchy that there are View permissions.
It's good to know about this additional profile, because you might remove Alex from the project team and assume that he no longer has access to the Hyperspace Bypass project. To fully remove him, you'll have to remove the group profile, which would revoke permissions for all members of the Full Users group.